tfctl 1.0.0.rc1 → 1.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7851ad9d647739e471f8d430dace8564f16f403f3a7e7ffb98e21384db641f53
-  data.tar.gz: d52713addc4006e2e67f5c3fce56941697d4a9edfb6bea08953c76eeb673c2f1
+  metadata.gz: b1825dfe2e3683c1ef8444460e5cd7baedde7424ec60de056a7a3351e69ad380
+  data.tar.gz: db929e7c2323d42c99719610e18bf5ef17277521ff69985b668e6f26ca71feea
 SHA512:
-  metadata.gz: 10f6a9bce18e905d787783a6f61a3f93724b4809d1c7f2c7e7c1edc155ba2c14b17a97096140f790c9b7e250dc4fd24f7af5c86fefea8139d25e1b15dddc65d3
-  data.tar.gz: 9e81ab6abbc15df5917ea6b23a1b167a2cd745e057d462ce0e28db47b27c6f12477c62293893c59f1977c5c406df31dbb797818fc27978b5bd9255a12bd86370
+  metadata.gz: 7288eadc3e15802584060d055a2dd51fa34aae5fe0fba8d4eefd69d3e654fa0bcdef3c05b9a410891f31b4b3f9564301350d6298f7fcdbdf175deef9ac236a74
+  data.tar.gz: c9515472d66fb6d6f423aaf2d01504901a2e42acf47aa6d59919d7737dc37f2817436e5364241afca523cd70cccf2082d0e791573aabb9ff55b3da42fcd760c2

data/.rubocop.yml

@@ -1,12 +1,12 @@
 ---
 AllCops:
-  TargetRubyVersion: 2.3
+  TargetRubyVersion: 2.5
   DisplayCopNames: true
 
 Layout/IndentationWidth:
   Width: 4
 
-Layout/IndentHeredoc:
+Layout/HeredocIndentation:
   Enabled: false
 
 Layout/EmptyLines:
@@ -15,7 +15,7 @@ Layout/EmptyLines:
 Layout/EmptyLinesAroundMethodBody:
   Enabled: false
 
-Layout/AlignHash:
+Layout/HashAlignment:
   EnforcedHashRocketStyle:
     - table
   EnforcedColonStyle:
@@ -45,7 +45,7 @@ Metrics/BlockLength:
 Metrics/MethodLength:
   Enabled: false
 
-Metrics/LineLength:
+Layout/LineLength:
   Max: 140
 
 Metrics/AbcSize:
@@ -77,3 +77,7 @@ Style/TrailingCommaInHashLiteral:
 
 Style/RedundantReturn:
   Enabled: false
+
+# don't break older Rubies just because of style
+Style/RedundantBegin:
+  Enabled: false

data/.travis.yml

@@ -1,18 +1,19 @@
 rvm:
-  - 2.3
-  - 2.6
+- 2.5
+- 2.6
+- 2.7
 os: linux
 language: ruby
 script: make test
 jobs:
   include:
-    - stage: Gem release
-      rvm: 2.6
-      deploy:
-        provider: rubygems
-        api_key:
-          secure: FKAONS7x6koN7oiEULr4ViwjlDBzbE0bCgqhXRP4DfTtlRyEymeqgrfSIqkVH7unjd0muIGrMBnFuaQVSx7648RS1Ss0QAJo32SVnzoYl1P03cijqNmbbaf1jRdA3IGmh0gV5vsXrmlHiP8gfAuC9PqQ550OzxzWUvEI8vXgSTibmKd/PoQinv5g/dq0gBFjlhSMt/k3Z9WlMmkEsAro/r/Ie2M7mItHPT65f0ga5q5SeujPQQ3Sd/l3mznh37bmnw5RZpFDYdA7jL2p0Y58XJPBU8soa3ZC5GeHyxCYVoGh6EDGAFb83ERRT6rQ7ywkOufTv1o497P7a/prSbvT6fzc+DcugXPEaglT+dUXMe36OoF907Xva4vq3xIHV2N/yrxbDM85hmMk22wEU+9wpDDzFNQnfsXNbaHG9F7gLgy0eoTRrSuJf6cPDlE8pwvn7b8cjieeqWc//ZNhSYnHYZGER4LFINWVxs68Eofmmqp2IESTcUpJ8oB4bV+bzzyobJMRobOXu2hvgCrTdr6r/PnckpAfZE/l4nVQa14f1FU//8bU3DwvNun6TX1Ujp+XNiRDUlvP2KnkBU4s5rsIkL3lCHW7r6GipSk6SOvGMTz5eySMsoWvZQBdAzk/OxcIteeWH9pdo1Hbu5x2/bwyuTRCQ9E79CKWDKlIQwCgUY0=
-        gem: tfctl
-        on:
-          tags: true
-          repo: scalefactory/tfctl
+  - stage: Gem release
+    rvm: 2.6
+    deploy:
+      provider: rubygems
+      api_key:
+        secure: LAVcdER+LtQ2TSUrVOY7Be1BC7GXJRD0QBt386vRM5Nld5QaD9Ow9gtN6FprzkzloI4R8BkPWqZbAT6YjC+C0AFB5HK6iPwD2bLsiF9w3ccDD+yrW99RHxiErpmYMun2PqZv0WkJ/pkEplPCKMRFv7SM7W9DMRlU7dsXc1v6IVyIb5u3A04jErS2jXXKY0ijlCDJYVo8zzYL6yUmUcXhc//3CIVnu2Miu6Qr8h7e6jMXNUWfMkwEXsFP9id4TsCz7hRY+39PkiBAknHTN5UqjjJiEOknZnHeTBcVPvi2h2xv+fFLSzVTxlxaRsVoMCShQp5D12qzhQObRJsRVQFs8Yyg9IYMyPdxssFYyUZFaAy5taWDm57uM3HTHylm/Dq3LmXTgGNxWUUkf2oh1g7R6cYZpBUQwiEPzhZQ7CoBQbGUAJmH9ZU9m+cr8kuAOUipd6BNEDvn/fIH4WJsRCNP72JGX16JBpuICvpkuNhskZT91xFlYk1pTXHOxNpbTcxUTgMHhrTqspeRXPmf6DiYGvjMb2S6kaoGqCIRIcwl0TGKuMsOMqR9SqF8gubkqHMVbSl1E7mwBn4ke8/7IGoMkWOGwUpVxqVOLBHi6zSR09RTVSbKl4oiFV3ZwmVPSxDncq54MptyJ2WCZ7dD6ht2l+VA8iGwYeIoqOpwGWxyuNI=
+      gem: tfctl
+      on:
+        tags: true
+        repo: scalefactory/tfctl

data/CHANGELOG.adoc

@@ -1,6 +1,28 @@
 = Changelog
 
-== 1.0.0-rc1 (unreleased)
+== Upcoming
+
+== 1.2.2
+ * chore: reverted PR #11 - not necessary and introduced regression.  See PR #13 for details.
+
+== 1.2.1
+ * chore: added required Ruby version to Gemspec.
+
+== 1.2.0
+
+ * feat: pass TF_ environment variables to terraform (PR #11).
+
+== 1.1.1
+
+ * fix: handle empty response from Organizations API containing children (thanks @grothja)
+ * chore: stopped testing on EOL Rubies 2.3 and 2.4 (but should still currently work)
+ * chore: dependencies minimum version bump
+
+== 1.1.0
+
+* feat: look for configuration in `tfctl.yaml` by default.
+
+== 1.0.0
 
 * feat(config): JSON schema config validation
 * feat(config): added 'data' parameter

data/README.adoc

@@ -28,15 +28,16 @@ toc::[]
 
 == Overview
 
-Tfctl is a small Terraform wrapper for working with multi-account AWS
+`tfctl` is a small Terraform wrapper for working with multi-account AWS
 infrastructures where new accounts may be created dynamically and on-demand.
 
-It discovers accounts by reading the AWS Organizations API and can assign
+It discovers accounts by reading the AWS Organizations API, and can assign
 Terraform resources to multiple accounts based on the organization hierarchy.
 Resources can be assigned globally, based on organization unit or to individual
-accounts.  It supports nested OU hierarchies and helps keep your Terraform DRY.
+accounts.  It supports hierarchies of nested Organizational Units (OUs),
+and helps keep your Terraform DRY.
 
-Tfctl was originally developed to integrate Terraform with
+The Scale Factory originally created tfctl to integrate Terraform with
 https://aws.amazon.com/solutions/aws-landing-zone/[AWS Landing Zone] and
 https://aws.amazon.com/controltower/[Control Tower] but should work with most
 other ways of managing accounts in AWS Organizations.
@@ -57,7 +58,7 @@ other ways of managing accounts in AWS Organizations.
 == Requirements
 
  * Terraform >= 0.12
- * Ruby >= 2.3
+ * Ruby >= 2.4
  * Accounts managed in AWS Organizations (by Landing Zone, Control Tower, some
    other means)
 
@@ -65,17 +66,19 @@ other ways of managing accounts in AWS Organizations.
 
 To install the latest release from RubyGems run:
 
+[source,shell]
 ----
 gem install tfctl
 ----
 
-Alternatively you can build and install from this repo with:
+Alternatively, you can build and install from this repo with:
 
+[source,shell]
 ----
 make install
 ----
 
-== Docs
+== Documentation
 
  * https://github.com/scalefactory/tfctl/tree/master/docs/control_tower.adoc[Control Tower quick start guide]
  * https://github.com/scalefactory/tfctl/tree/master/docs/project_layout.adoc[Project layout]
@@ -85,23 +88,25 @@ make install
 
 == Running tfctl
 
-tfctl should be run from the root of the project directory.  It will generate
-Terraform configuration in `.tfctl/`.
+You should run `tfctl` from the root of your project directory.  It will generate
+Terraform configuration in `.tfctl/` (add this to your `.gitignore`).
 
 Anatomy of a tfctl command:
 
+[source,shell]
 ----
 tfctl -c CONFIG_FILE TARGET_OPTIONS -- TERRAFORM_COMMAND
 ----
 
-* `-c` specifies which tfctl config file to use (usually in `conf/`)
+* `-c` specifies which tfctl config file to use (defaults to `tfctl.yaml` in
+ current working directory if not set)
 * `TARGET_OPTIONS` specifies which accounts to target.  This could be an individual
   account, a group of accounts in an organizational unit or all accounts.
 * `TERRAFORM_COMMAND` will be passed to `terraform` along with any
   options.  See https://www.terraform.io/docs/commands/index.html[Terraform
   commands] for details.
 
-NOTE: You must have your AWS credentials configured before running tfctl or run
+NOTE: You must have your AWS credentials configured before you run `tfctl`, or run
 it using an AWS credentials helper such as
 https://github.com/99designs/aws-vault[aws-vault].
 
@@ -109,68 +114,78 @@ https://github.com/99designs/aws-vault[aws-vault].
 
 Show help:
 
+[source,shell]
 ----
 tfctl -h
 ----
 
 Show merged configuration:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -s
+tfctl -s
 ----
 
 List all discovered accounts:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -l
+tfctl --all -l
 ----
 
 TIP: This can be narrowed down using targeting options and is a good way to
 test what accounts match.
 
-Run Terraform init across all accounts:
+Run `terraform init` across all accounts:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -- init
+tfctl --all -- init
 ----
 
-Run plan in `test` OU accounts:
+Plan Terraform across all accounts in the `test` OU:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -o test -- plan
+tfctl -o test -- plan
 ----
 
-Run plan in `live` accounts assuming that `live` is a child OU in multiple
+Plan Terraform in `live` accounts, assuming that `live` is a child OU in multiple
 organization units:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -o '.*/live' -- plan
+tfctl -o '.*/live' -- plan
 ----
 
-Run plan in an individual account:
+Run a plan for an individual account:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -a example-account - plan
+tfctl -a example-account - plan
 ----
 
-Run apply in all accounts:
+Apply Terraform changes across all accounts:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -- apply
+tfctl --all -- apply
 ----
 
-Run destroy in `test` OU accounts:
+Destroy Terraform-managed resources in all the `test` OU accounts:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -o test -- destroy -auto-approve
+tfctl -o test -- destroy -auto-approve
 ----
 
 Don't buffer the output:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -a example-account -u -- plan
+tfctl -a example-account -u -- plan
 ----
 
 This will show output in real time.  Usually output is buffered and displayed
-after Terraform command finishes to make it more readable when running across
-multiple accounts in parallel.
+after the Terraform command finishes, to make it more readable when running
+across multiple accounts in parallel.

data/bin/tfctl

@@ -22,7 +22,7 @@ options = {
     ou:          nil,
     all:         nil,
     show_config: false,
-    config_file: nil,
+    config_file: 'tfctl.yaml',
     unbuffered:  false,
     debug:       false,
     use_cache:   false,
@@ -68,10 +68,6 @@ begin
 
     # Validate CLI arguments
 
-    if options[:config_file].nil?
-        raise OptionParser::MissingArgument, '--config-file'
-    end
-
     unless File.exist? options[:config_file]
         raise OptionParser::InvalidOption,
               "Config file not found in: #{options[:config_file]}"
@@ -104,7 +100,7 @@ end
 
 
 
-# Generates configuration and runs Terraform commands for a target account.
+# Execute terraform in target accounts
 def run_account(config, account, options, tf_argv, log)
 
     # Skip excluded accounts
@@ -145,6 +141,7 @@ begin
     log.info 'tfctl running'
 
     config_name = File.basename(options[:config_file]).chomp('.yaml')
+    config_name = 'default' if config_name == 'tfctl'
     log.info "Using config: #{config_name}"
 
     log.info 'Working out AWS account topology'

data/docs/configuration.adoc

@@ -1,7 +1,31 @@
-== Configuration
+// Settings:
+:idprefix:
+:idseparator: -
+ifndef::env-github[:icons: font]
+ifdef::env-github,env-browser[]
+:toc: macro
+:toclevels: 1
+endif::[]
+ifdef::env-github[]
+:branch: master
+:status:
+:outfilesuffix: .adoc
+:!toc-title:
+:caution-caption: :fire:
+:important-caption: :exclamation:
+:note-caption: :paperclip:
+:tip-caption: :bulb:
+:warning-caption: :warning:
+endif::[]
 
-Tfctl retrieves initial account configuration from AWS Organizations and merges
-it with configuration specified in a yaml file.
+= Configuration
+
+toc::[]
+
+== Overview
+
+`tfctl` retrieves initial account configuration from AWS Organizations and merges
+it with configuration specified in YAML format (`tfctl.yaml` by default).
 
 The configuration is merged in the following order:
 
@@ -44,11 +68,11 @@ organization_units:
 
 This will result in all three profiles deployed to accounts in `team` OU.
 
-TIP: You can display the fully merged configuration by running `tfctl -c
-conf/CONFIG_FILE.yaml -s`.  It's safe to run as it doesn't make any changes to
-AWS resources.  It's a good way to test your configuration.
+TIP: You can display the fully merged configuration by running `tfctl -s`.
+It's safe to run as it doesn't make any changes to AWS resources.  It's a good
+way to test your configuration.
 
-=== Defining arbitrary data
+== Defining arbitrary data
 
 You can define arbitrary data under the `data:` parameter, both in the root of
 the config and in the organization sections.  It will be available in Terraform
@@ -57,9 +81,19 @@ subnet ranges, s3 bucket names and so on.  `data:` in organization sections
 will be merged with accounts following the usual merge order as described
 above.
 
-=== Handling secrets
+== Handling secrets
+
+CAUTION: Do not commit secrets into your Terraform or tfctl configuration.
 
-No secrets should be committed into Terraform or tfctl configuration.  Use AWS
-Secrets Manager instead and retrieve in Terraform profiles using
+Instead, use AWS Secrets Manager and retrieve secrets in Terraform profiles using
+the
 https://www.terraform.io/docs/providers/aws/d/secretsmanager_secret.html[secrets
-manager data source]
+manager data source].
+
+== Configuration Schema
+
+The configuration file is validated using https://json-schema.org/[JSON Schema].
+
+The schema is defined in
+https://github.com/scalefactory/tfctl/blob/master/lib/tfctl/schema.rb[lib/tfctl/schema.rb]
+and is a good place to look up all available options.

data/docs/control_tower.adoc

@@ -1,17 +1,37 @@
-:toc:
-
-== Control Tower integration guide
+// Settings:
+:idprefix:
+:idseparator: -
+ifndef::env-github[:icons: font]
+ifdef::env-github,env-browser[]
+:toc: macro
+:toclevels: 1
+endif::[]
+ifdef::env-github[]
+:branch: master
+:status:
+:outfilesuffix: .adoc
+:!toc-title:
+:caution-caption: :fire:
+:important-caption: :exclamation:
+:note-caption: :paperclip:
+:tip-caption: :bulb:
+:warning-caption: :warning:
+endif::[]
+
+= Control Tower integration guide
 
 This guide will help you integrate Terraform with AWS Control Tower using the
 tfctl wrapper.  This involves setting up resources for remote state tracking,
 necessary IAM roles and a tfctl project.
 
-=== Overview
+toc::[]
+
+== Overview
 
 For state tracking we're going to create a dedicated `shared-services` account
 under a `mgmt` organization unit.  We'll use S3 for state storage and DynamoDB
 for locking.  `TerraformState` IAM role will be created for cross account
-access to state resources from the primary account.
+access to state resources from the primary AWS account.
 
 In the primary account we'll create a `TfctlOrgAccess` role.  It gives tfctl
 read only access to AWS Organizations which is used to discover accounts and
@@ -26,16 +46,17 @@ account factory and can be assumed from the primary account.
 We're going to create a `live` and `test` organization units in Control Tower
 and provision a couple of accounts for testing.
 
-=== Prerequisites
+== Prerequisites
 
 Before starting you'll need:
 
- * Control Tower set up in your primary account.
- * A user with `AdministratorAccess` privileges in primary account.
- * AWS CLI tools installed on your machine.
+ * An AWS account that is part of an Organization.
+ * Control Tower set up in your primary AWS account.
+ * A user with `AdministratorAccess` privileges in your primary AWS account.
+ * AWS CLI tools installed on your local machine.
  * Terraform 0.12 or higher.
 
-=== Configure Control Tower
+== Configure Control Tower
 
 Create the following organization units in Control Tower:
 
@@ -52,30 +73,35 @@ Then provision accounts:
 NOTE: Control Tower accounts need to be provisioned one at a time.  It takes
 approximately 20 mins to provision one.
 
-=== Install tfctl
+== Install tfctl
 
+[source,shell]
 ----
 git clone git@github.com:scalefactory/tfctl.git
 cd tfctl/ && sudo make install
 ----
 
-=== Set up AWS resources
+== Set up AWS resources
 
 It's assumed you have configured AWS CLI access to the primary account.
 
 We'll use CloudFormation templates in `examples/bootstrap/`.
 
-First export configuration using environment variables making sure to change to
-values to suit your set up:
+First export configuration using environment variables, making sure to change to
+values to suit your setup:
 
+[source,shell]
 ----
-export PRIMARY_ACCOUNT_ID=11111111
-export SHARED_SERVICES_ACCOUNT_ID=22222222
+# Change these to match your setup
+export PRIMARY_ACCOUNT_ID=123456789012
+export SHARED_SERVICES_ACCOUNT_ID=345678901234
 export STATE_BUCKET_NAME='example-terraform-state'
+export AWS_REGION=eu-west-1
 ----
 
 Create the remote state resources stack set:
 
+[source,shell]
 ----
 cd examples/bootstrap/
 
@@ -87,31 +113,34 @@ aws cloudformation create-stack-set \
     --execution-role-name AWSControlTowerExecution \
     --administration-role-arn arn:aws:iam::${PRIMARY_ACCOUNT_ID}:role/service-role/AWSControlTowerStackSetRole \
     --parameters ParameterKey=PrimaryAccountId,ParameterValue=${PRIMARY_ACCOUNT_ID} \
-    ParameterKey=TerraformStateBucket,ParameterValue=${STATE_BUCKET_NAME}
+    ParameterKey=TerraformStateBucket,ParameterValue="${STATE_BUCKET_NAME}"
 ----
 
-Create a stack set instance in you shared services account:
+Create a stack set instance in your shared services account:
 
+[source,shell]
 ----
 aws cloudformation create-stack-instances \
     --stack-set-name TerraformState \
     --accounts ${SHARED_SERVICES_ACCOUNT_ID} \
-    --regions eu-west-1
+    --regions ${AWS_REGION}
 ----
 
 Check status:
 
+[source,shell]
 ----
 aws cloudformation describe-stack-instance \
     --stack-set-name TerraformState \
     --stack-instance-account ${SHARED_SERVICES_ACCOUNT_ID} \
-    --stack-instance-region eu-west-1
+    --stack-instance-region ${AWS_REGION}
 ----
 
 NOTE: Initial status will be `OUTDATED`, it should change to `CURRENT` once deployed.
 
-Deploy `TfctlOrgAccess` IAM role stack:
+Deploy the `TfctlOrgAccess` IAM role stack:
 
+[source,shell]
 ----
 aws cloudformation create-stack \
     --stack-name TfctlOrgAccess \
@@ -122,70 +151,79 @@ aws cloudformation create-stack \
 
 Check status:
 
+[source,shell]
 ----
 aws cloudformation describe-stacks --stack-name TfctlOrgAccess
 ----
 
 NOTE: Successful status should read: `CREATE_COMPLETE`.
 
-=== Configure tfctl
+== Configure tfctl
 
 Copy the example project directory `examples/control_tower` somewhere convenient
-and edit `conf/example.yaml`.
+and edit `tfctl.yaml`.
 
 You need to modify the following parameters:
 
  * `tf_state_bucket` - set to `$STATE_BUCKET_NAME`
  * `tf_state_role_arn` - set shared services account ID
  * `tfctl_role_arn` - set primary account ID
- * `primary_account` - set the primary account name.  You can find it in AWS Organizations.
+ * `primary_account` - set the primary account name.  You can find it through AWS Organizations in the console.
 
 TIP: You should keep your project directory under version control.
 
-=== Deploy example tfctl profile
+== Deploy example tfctl profile
 
 The example profile will create an S3 bucket in accounts under `test`, `live`
 and `mgmt` OUs.
 
 NOTE: Run tfctl commands from the root of you project directory.
 
-First dump the configuration to verify everything works:
+First, dump the configuration to verify everything works:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml -s
+tfctl -s
 ----
 
-This will not make any changes but will print out a yaml containing the final,
+This will not make any changes but will print out YAML containing the final,
 merged configuration data.  It should contain a list of discovered accounts and
 their configuration.
 
-Initialise terraform for all discovered accounts:
+Initialise Terraform for all discovered accounts:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -- init
+tfctl --all -- init
 ----
 
 Tfctl will run Terraform against all accounts in parallel.
 
-Run plan:
+`plan` the Terraform:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -- plan
+tfctl --all -- plan
 ----
 
-and apply:
+and `apply` it:
 
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -- apply
+tfctl --all -- apply
 ----
 
-To destroy created resources run:
 
+== Clean up
+
+To destroy created resources, run:
+
+[source,shell]
 ----
-tfctl -c conf/example.yaml --all -- destroy -auto-approve
+tfctl --all -- destroy -auto-approve
 ----
 
-That's it! You can now execute terraform across your Control Tower estate.
+That's it! You can now execute Terraform across your Control Tower estate.
 
 TIP: Your project directory should be under version control excluding the
 `.tfctl` directory which is automatically generated.

data/docs/creating_a_profile.adoc

@@ -1,9 +1,31 @@
-== Creating and deploying a tfctl profile
+// Settings:
+:idprefix:
+:idseparator: -
+ifndef::env-github[:icons: font]
+ifdef::env-github,env-browser[]
+:toc: macro
+:toclevels: 1
+endif::[]
+ifdef::env-github[]
+:branch: master
+:status:
+:outfilesuffix: .adoc
+:!toc-title:
+:caution-caption: :fire:
+:important-caption: :exclamation:
+:note-caption: :paperclip:
+:tip-caption: :bulb:
+:warning-caption: :warning:
+endif::[]
+
+= Creating and deploying a tfctl profile
 
 This guide will show you how to create a tfctl profile, declare some resources
 in it and deploy it to to a group of accounts in an organization unit.
 
-=== Create a new profile
+toc::[]
+
+== Create a new profile
 
 In your tfctl project directory create a new profile:
 
@@ -59,7 +81,7 @@ profile.  Tfctl configuration can be accessed using this variable. This It
 includes an array of all discovered accounts as well their parameters from
 tfctl config file.
 
-TIP: You can run `tfctl -c conf/CONFIG_FILE.yaml -s` to show the config data in
+TIP: You can run `tfctl -s` to show the config data in
 yaml format.  This exact data is available in the `config` variable in your
 profile.
 
@@ -87,7 +109,7 @@ resource "aws_s3_bucket" "example" {
 This will create an S3 bucket with a name containing the current account name
 (which will vary depending on which account it's deployed to).
 
-=== Assign profile to accounts
+== Assign profile to accounts
 
 Before you can deploy the new profile you need to tell `tfctl` which accounts
 to deploy it to.
@@ -102,7 +124,7 @@ You have few options here:
 For the sake of this example we're going to deploy our bucket to all accounts
 in `test` OU.
 
-In tfctl config file add the profile to the `test` OU:
+In `tfctl.yaml` add the profile to the `test` OU:
 
 [source, yaml]
 ----
@@ -113,13 +135,13 @@ organization_units:
 ----
 
 
-=== Plan
+== Plan
 
 To see what would happen when the change is applied run:
 
 ----
-tfctl -c conf/example.yaml -o test -- init
-tfctl -c conf/example.yaml -o test -- plan
+tfctl -o test -- init
+tfctl -o test -- plan
 ----
 
 This will run `terraform init` to initialise terraform and then `terraform
@@ -161,9 +183,9 @@ what went wrong.
 tfctl will generate a plan file automatically and use it with `apply` in the
 next step.
 
-=== Apply
+== Apply
 
 Once you're happy with the plan, apply it.
 ----
-tfctl -c conf/example.yaml -o test -- apply
+tfctl -o test -- apply
 ----

data/docs/iam_permissions.adoc

@@ -1,6 +1,26 @@
-== IAM roles
+// Settings:
+:idprefix:
+:idseparator: -
+ifndef::env-github[:icons: font]
+ifdef::env-github,env-browser[]
+:toc: macro
+:toclevels: 1
+endif::[]
+ifdef::env-github[]
+:branch: master
+:status:
+:outfilesuffix: .adoc
+:!toc-title:
+:caution-caption: :fire:
+:important-caption: :exclamation:
+:note-caption: :paperclip:
+:tip-caption: :bulb:
+:warning-caption: :warning:
+endif::[]
 
-Tfctl usually requires three IAM roles to be configured:
+= IAM roles
+
+`tfctl` usually requires three IAM roles to be configured:
 
  * `TfctlRole` - read only access to AWS Organizations set up in the primary account.
  * `TerraformStateRole` - access to remote state resources (S3, DynamoDB) in the
@@ -8,7 +28,7 @@ Tfctl usually requires three IAM roles to be configured:
  * `TerraformExecutionRole` - configured in all spoke accounts and used for executing Terraform.
 
 The user executing tfctl needs permission to assume all three roles cross
-account.  Tfctl will assume roles automatically for you.
+account. Once these are configured, tfctl automatically assumes roles for you.
 
 It's possible to configure different Terraform execution roles in different
 spoke accounts based on OU or account names.  This can be used to restrict

data/docs/project_layout.adoc

@@ -1,10 +1,29 @@
-== Project layout
+// Settings:
+:idprefix:
+:idseparator: -
+ifndef::env-github[:icons: font]
+ifdef::env-github,env-browser[]
+:toc: macro
+:toclevels: 1
+endif::[]
+ifdef::env-github[]
+:branch: master
+:status:
+:outfilesuffix: .adoc
+:!toc-title:
+:caution-caption: :fire:
+:important-caption: :exclamation:
+:note-caption: :paperclip:
+:tip-caption: :bulb:
+:warning-caption: :warning:
+endif::[]
+
+= Project layout
 
 Example project structure
 ----
 project_dir/
-├── conf
-│   └── example.yaml
+├── tfctl.conf
 ├── modules
 │   └── s3-bucket
 │       ├── main.tf
@@ -16,7 +35,9 @@ project_dir/
         └── variables.tf
 ----
 
-=== tfctl configuration file
+toc::[]
+
+== tfctl configuration file
 
 Assigns Terraform profiles and configuration to accounts based on:
 
@@ -29,7 +50,12 @@ The configuration data is exposed to terraform via a profile `config` variable.
 It also defines Terraform and tfctl configuration such as state tracking and
 what IAM roles to use.
 
-=== profiles
+By default, tfctl will use `tfctl.yaml` in its current working directory.  You
+can specify a different file using `-c`.  Multiple configurations are supported
+in the same project directory and generated data will be stored separately for
+each config file in `.tfctl/`.
+
+== `profiles`
 
 Profiles are re-usable collections of resources which can be applied to
 accounts.  They are implemented just like usual modules but provide an
@@ -38,6 +64,6 @@ other data sources).  Profiles often compose multiple modules and provide
 configuration data to them.  This approach makes it possible to re-use standard
 modules (e.g. Terraform module registry).
 
-=== modules
+== `modules`
 
 Standard Terraform modules.

data/lib/tfctl/aws_org.rb

@@ -71,23 +71,25 @@ module Tfctl
             @aws_org_client.list_children(
                 child_type: 'ORGANIZATIONAL_UNIT',
                 parent_id:  parent_id,
-            ).children.each do |child|
-
-                begin
-                    ou = @aws_org_client.describe_organizational_unit(
-                        organizational_unit_id: child.id,
-                    ).organizational_unit
-                rescue Aws::Organizations::Errors::TooManyRequestsException
-                    # FIXME: - use logger
-                    puts 'AWS Organizations: too many requests.  Retrying in 5 secs.'
-                    sleep 5
-                    retries += 1
-                    retry if retries < 10
-                end
+            ).each do |resp|
+                resp.children.each do |child|
+
+                    begin
+                        ou = @aws_org_client.describe_organizational_unit(
+                            organizational_unit_id: child.id,
+                        ).organizational_unit
+                    rescue Aws::Organizations::Errors::TooManyRequestsException
+                        # FIXME: - use logger
+                        puts 'AWS Organizations: too many requests.  Retrying in 5 secs.'
+                        sleep 5
+                        retries += 1
+                        retry if retries < 10
+                    end
 
-                ou_name = parent_name == :root ? ou.name.to_sym : "#{parent_name}/#{ou.name}".to_sym
+                    ou_name = parent_name == :root ? ou.name.to_sym : "#{parent_name}/#{ou.name}".to_sym
 
-                output[ou_name] = ou.id
+                    output[ou_name] = ou.id
+                end
             end
             output
         end

data/lib/tfctl/config.rb

@@ -48,7 +48,7 @@ module Tfctl
             @config.to_json
         end
 
-        # Filters accounts by account property
+        # Filters accounts by an account property
         def find_accounts(property_name, property_value)
             output =[]
             @config[:accounts].each do |account|
@@ -88,7 +88,6 @@ module Tfctl
 
         # Retrieves AWS Organizations data and merges it with data from yaml config.
         def load_config(config_name, yaml_config, aws_org_config)
-
             # AWS Organizations data
             config = aws_org_config
             # Merge organization sections from yaml file

data/lib/tfctl/schema.rb

@@ -29,7 +29,7 @@ module Tfctl
             def main_schema
                 iam_arn_pattern = 'arn:aws:iam:[a-z\-0-9]*:[0-9]{12}:[a-zA-Z\/+@=.,]*'
 
-                # rubocop:disable Layout/AlignHash
+                # rubocop:disable Layout/HashAlignment
                 {
                     'type'       => 'object',
                     'properties' => {
@@ -61,7 +61,7 @@ module Tfctl
                     ],
                     'additionalProperties' => false,
                 }
-                # rubocop:enable Layout/AlignHash
+                # rubocop:enable Layout/HashAlignment
             end
 
             def org_schema

data/lib/tfctl/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Tfctl
-    VERSION = '1.0.0.rc1'
+    VERSION = '1.2.2'
 end

data/tfctl.gemspec

@@ -23,14 +23,16 @@ Gem::Specification.new do |spec|
     spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
     spec.require_paths = ['lib']
 
+    spec.required_ruby_version = '>= 2.5.0'
+
     # Think when adding new dependencies.  Is it really necessary?
     # "The things you own end up owning you" etc.
-    spec.add_dependency 'aws-sdk-organizations', '~> 1.13'
+    spec.add_dependency 'aws-sdk-organizations', '~> 1.40'
     spec.add_dependency 'json_schemer',          '~> 0.2'
-    spec.add_dependency 'parallel',              '~> 1.17'
+    spec.add_dependency 'parallel',              '~> 1.19'
     spec.add_dependency 'terminal-table',        '~> 1.8'
 
     spec.add_development_dependency 'guard-rspec', '~> 4.7'
-    spec.add_development_dependency 'rspec',       '~> 3.8'
-    spec.add_development_dependency 'rubocop',     '~> 0.76'
+    spec.add_development_dependency 'rspec',       '~> 3.9'
+    spec.add_development_dependency 'rubocop',     '~> 0.84'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tfctl
 version: !ruby/object:Gem::Version
-  version: 1.0.0.rc1
+  version: 1.2.2
 platform: ruby
 authors:
 - Andrew Wasilczuk
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-10 00:00:00.000000000 Z
+date: 2020-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-organizations
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.13'
+        version: '1.40'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.13'
+        version: '1.40'
 - !ruby/object:Gem::Dependency
   name: json_schemer
   requirement: !ruby/object:Gem::Requirement
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '1.19'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '1.19'
 - !ruby/object:Gem::Dependency
   name: terminal-table
   requirement: !ruby/object:Gem::Requirement
@@ -86,28 +86,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.9'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.76'
+        version: '0.84'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.76'
+        version: '0.84'
 description: 
 email:
 - akw@scalefactory.com
@@ -135,12 +135,12 @@ files:
 - examples/bootstrap/terraform-exec-role.template
 - examples/bootstrap/terraform-state.template
 - examples/bootstrap/tfctl-org-access.template
-- examples/control_tower/conf/example.yaml
 - examples/control_tower/modules/s3-bucket/main.tf
 - examples/control_tower/modules/s3-bucket/variables.tf
 - examples/control_tower/profiles/example-profile/data.tf
 - examples/control_tower/profiles/example-profile/main.tf
 - examples/control_tower/profiles/example-profile/variables.tf
+- examples/control_tower/tfctl.yaml
 - lib/hash.rb
 - lib/tfctl.rb
 - lib/tfctl/aws_org.rb
@@ -164,15 +164,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.7
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: Terraform wrapper for managing multi-account AWS infrastructures